8.3 Configuring Methods

The Methods page contains settings that allow you to configure the authentication methods.

To configure an authentication method for Advanced Authentication, perform the following steps:

Open the Methods section. The list of available authentication methods are displayed.
Click Edit next to the authentication method.
Edit the configuration settings for a specific authentication method.
Click Save.

You can configure the following methods:

Bluetooth - Enable reaction on device configuration.
Card- Tap&Go policy configuration.
Email OTP - Email message and One-Time Password related settings.
Emergency Password - security settings of Emergency Password method.
Fingerprint - a quality of fingerprint recognition settings.
LDAP Password- an option which allows to save LDAP Password.
OATH OTP - OATH TOTP/HOTP related settings. Also CSV/PSKC bulk import and token assignment.
Password - security settings of local password.
PKI- uploading trusted root certificates.
Radius Client - settings for to a third-party RADIUS server.
Security Questions - security questions and its security settings.
Smartphone - Smartphone method settings.
SMS OTP - One-Time Password related settings for SMS method.
Swisscom Mobile ID - settings for the Swisscom mobile ID method.
FIDO U2F - an option which allows to enable check of attestation certificate.
Voice - security settings of Voice method.
Voice OTP - settings for the Voice OTP method.

An authentication method itself cannot be linked to an event. You must create an Authentication Chain in order to configure the authentication for the user. It is also possible to create an Authentication chain with only one method in it.

For example: If you want to create Password and OTP authentication then you would create a chain with the Password and OTP methods in it. However, if you use only OTP for a certain event, then you can make an Authentication Chain using only the OTP in it.

8.3.1 Bluetooth

Advanced Authentication supports authentication using Bluetooth method. The settings allows to enable or disable the Enable reaction on device removal option.

By default Enable reaction on device removal option is enabled. When the Enable reaction on device removal option is enabled and logon to Windows is performed by Bluetooth, then Operating System automatically locks if the Bluetooth device is disabled or it is out of range.

NOTE:It is recommended to have Bluetooth method in a chain with another authentication method to increase security.

8.3.2 Card

Advanced Authentication supports the Microsoft policy Interactive logon: Smart card removal behavior that allows you to specify an action on the card event. You can configure it to perform a force log off or lock a user session when the user inserts a card to the reader. This is supported for Microsoft Windows only.The Enable Tap&Go policy is located on the Card page of Methods section. By default, the policy is disabled and the card should be left on the reader when a user logs in. When the user takes off the card from the reader, the Windows Client runs an action that is specified in the Interactive logon: Smart card removal behavior policy. If the Enable Tap&Go policy is set to ON, users can tap a card to log in, to lock a session, or to log off (depending on Interactive logon: Smart card removal behavior policy) without leaving their cards on the readers.

NOTE:The policy is supported for Microsoft Windows only and it is not supported for the PKI authenticators.

8.3.3 Email OTP

The Email OTP authentication method sends an email to the user's e-mail address with a One-Time-Password (OTP). The user receives this OTP and needs to enter it on the device where the authentication is happening. This authentication method is best used with a second method like Password or LDAP Password in order to achieve multi-factor authentication and to prohibit malicious users from sending SPAM to a user's email box with authentication requests.

The following configuration options are available:

OTP Period: the lifetime of an OTP token in seconds. By default 120 seconds.The maximum value for the OTP period is 360 seconds.
OTP Format: the length of an OTP token. By default 6 digits.
Sender email: the sender email address.
Subject: the subject of the mail sent to the user.
Format: format of an email message. By default, the plain text format is used. You can switch to HTML. HTML format allows to use embedded images. You can specify an HTML format of the message in the HTML field.
Body: (for plain text format), the text in the email that is sent to the user. The following variables can be used:
- {user} - the username of the user.
- {endpoint} - the device the user is authenticating to.
- {event} - the name of the event where the user is trying to authenticate to.
- {otp} - this is the actual One-Time-Password.

8.3.4 Emergency Password

The settings allows to configure the Emergency Password authentication method. The method can be used as temporarily solution for the users who forgot smartphone or lost a card. Enrollment of the method is allowed only by security officers. Users are not permitted to enroll it.

WARNING: Enabling this method’s use could be abused by an administrator who wants to take over another user’s account.

It is possible to manage the following security options:

Minimum password length. 5 characters by default. Usage of shorter passwords is not allowed.
Password age (days). 3 days by default. It means the password will expire in 3 days.
Max logons. 10 logons by default. The password becomes expired after 10 logons.
Complexity requirements. The option is disabled by default. If it's enabled the password must complain at least 3 of 4 checks:
- it should contain at least one uppercase character,
- it should contain at least one lowercase character,
- it should contain at least one digit,
- it should contain at least one special symbol.
Allow change options during enroll. If the option is enabled a security officer will be able to set Start date, End date and Maximum logons manually. The manual configuration overrides the settings in Emergency Password method.

8.3.5 Fingerprint

The fingerprint authentication method uses a fingerprint scanner to authenticate.

To configure the fingerprint authentication, perform the following steps:

Set the Similarity score threshold by moving the slider to the desired score.

NOTE:Default and recommended value for Similarity score threshold is 25. Reducing the score may result in different fingerprints getting validated.
Select the number of fingers to be enrolled.

NOTE:It is recommended to enroll more than one finger as injuries or minor cuts to enrolled finger may make it unusable.
Select the number of captures for the enrolled fingers.

NOTE:To improve the quality of the fingerprint enrollment, it is recommended to have multiple captures. The total number of captures including all the enrolled fingers cannot exceed 25.
Click Save.

8.3.6 FIDO U2F

You can configure certificate settings for the FIDO U2F authentication method. By default, Advanced Authentication does not require the attestation certificate for authentication by FIDO U2F compliant token. Ensure that you have a valid attestation certificate added for your FIDO U2F compliant tokens, when you configure this method. A Yubico attestation certificate is pre-configured in the Advanced Authentication appliance. Click Add to add a device manufacturer certificate that must be in a PEM format. To enable check of attestation certificate, switch the Require attestation certificate option to ON. You can also turn the Disable built-in certificate option to ON if you do not want to use the built-in Yubico attestation certificate.

IMPORTANT:To use the FIDO U2F authentication in Advanced Authentication Access Manager and for the OAuth2 event it's required to configure an external web service to perform enrollment and authentication for one domain name. Configuring a Web Server in order to use the FIDO U2F authentication

The YubiKey tokens may start to flash with delay when token is initialized in combo-mode (e.g. OTP+U2F). It may decrease user performance, as users have to wait when the token start to flash before enrollment or authentication. Therefore it's recommended to flash the tokens in U2F only mode if the rest modes are not needed.

Configuring a Web Server in order to use the FIDO U2F authentication

NOTE:This article is applicable for Debian 8 Jessie. The procedure may differ for other distributives.

These instructions will help you to configure web server in order to use FIDO U2F authentication in NetIQ Access Manager and for OAuth 2.0 event. According to FIDO U2F specification, enrollment and authentication must be performed for one domain name. NetIQ Access Manager and Advanced Authentication appliance are located on different servers, as a result it is required to configure web server which will perform port forwarding to:

Advanced Authentication appliance for the FIDO U2F enrollment
NetIQ Access Manager for further authentication using FIDO U2F tokens

Installing Nginx Web Server

To install Nginx web server to use it for URL forwarding, add these two lines to the /etc/apt/sources.list file:

deb http://packages.dotdeb.org jessie all
deb-src http://packages.dotdeb.org jessie all

Preparing SSL Certificate

To prepare SSL certificate, please run these commands:

mkdir –p /etc/nginx/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/proxy.key -out /etc/nginx/ssl/proxy.crt

Nginx Proxy Configuration

To prepare Nginx proxy configuration, add the following to the /etc/nginx/sites-available/proxy file:

server {
listen 443 ssl;
error_log /var/log/nginx/proxy.error.log info;
server_name nam.company.local;
ssl_certificate /etc/nginx/ssl/proxy.crt;
ssl_certificate_key /etc/nginx/ssl/proxy.key;
location ~ ^/account {

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass https://<appliance_IP>$uri?$args;
}
location ~ ^/static {

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass https://<appliance_IP>$uri?$args;
}
location ~ ^/admin {

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass https://<appliance_IP>$uri?$args;
}
location / {

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_read_timeout 300;
proxy_pass https://<NAM_IP>;
}
}

Create link and restart nginx service using the following commands:

ln -s /etc/nginx/sites-available/proxy /etc/nginx/sites-enabled/proxy
service nginx reload

DNS Entries

Please make sure that NAM name server corresponds to IP address of web server.

Enrollment

To enroll U2F, please open link https://<NAM_FQDN>/account. You will be forwarded to the enroll page of Advanced Authentication server appliance.

8.3.7 LDAP Password

The settings allows to configure security options for LDAP passwords (passwords stored in the used repository).

LDAP Password is required for Advanced Authentication Clients, because the Advanced Authentication Clients retrieve password from the Advanced Authentication Server to validate it. If you do not have a LDAP Password method in a used chain, a prompt is displayed to perform the synchronization. A prompt is displayed only for the first time if Save LDAP password option is set to ON until the password is changed or reset. A prompt for synchronization is displayed each time if the Save LDAP password option is set to OFF.

8.3.8 OATH OTP

OATH stands for Initiative for Open Authentication and is an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication using One-Time-Passwords.

Advanced Authentication Framework supports two different types of OATH OTP and these are:

HOTP: counter based OTP
TOTP: time based OTP

To access the settings open Advanced Authentication, Methods section, click Edit button next to OATH OTP.

For the HOTP variant you can specify the following parameters:

OTP format, it determines how many digits the OTP token has. By default it's 6 digits. It can be changed to 4,6,7 or 8 digits. The value should be the same as the tokens you are using.
OTP window allows to specify a value, how much OTPs the Advanced Authentication Server will generate starting from the current HOTP counter value to match an HOTP entered by user during authentication. The default value is 10.This is required for the case when users use the tokens not only for authentication using Advanced Authentication, in each case of usage the HOTP counter increases on 1, so the counter will be out of sync between the token and Advanced Authentication Server. Also users can press the token button accidentally. The maximum value for the OTP window is 100000 seconds.

WARNING:Increasing of HOTP window value to more than 100 is not recommended, because it may decrease security by causing false matches.

During enrollment or HOTP counters synchronization in Self-Service Portal the Enrollment HOTP window equal to 100 000 is used. This is necessary because the HOTP tokens may be used during a long period before enrollment in Advanced Authentication and its value is unknown and could be even equal to some thousands. This is secure as users need to provide 3 consequent HOTPs.

The TOTP settings contain the following parameters:

OTP period (sec) allows to specify how often a new OTP is generated. A default value is 30 seconds. The maximum value for the OTP period is 360 seconds.
OTP format determines how many digits the OTP token has. By default it's 6 digits. It can be changed to 4,6,7 or 8 digits. The value should be the same as the tokens you are using.
OTP window, it allows to determine how many period may be used by Advanced Authentication Server for TOTP generation. E.g. we have a period of 30 and a window of 4, then the token is valid for 4*30 seconds before current time and 4*30 seconds after current time, which is 4 minutes. These configurations are used because time can be out-of-sync between the token and the server and that will otherwise impact the authentication.The maximum value for the OTP window is 64 periods.

IMPORTANT:You cannot use OTP window =32 and higher for four digit OTPs as it can lead to false matches and reduce security.
Google Authenticator format of QR code (Key Uri). By default the Advanced Authentication Auth smartphone app can be used to scan a QR code for enrollment of software token. The format of QR code is not supported by other apps. It's possible to switch Advanced Authentication to use the Google Authenticator or Microsoft Authenticator app instead of Advanced Authentication Authsmartphone app using the option.

IMPORTANT:OTP format must be set to 6 digits when you use the Google Authenticator or Microsoft Authenticator format of QR code.

Advanced Authentication Framework also supports the import of PSKC or CSV files. These are token files with token information in them. To do this follow the instruction below:

Go to the OATH Token tab.
Click Add button.
Click Choose File and add a PSKC or CSV file.
Choose a proper File type. It can be
- OATH compliant PSKC (e.g. for HID OATH TOTP compliant tokens).
- OATH csv, the CSV must complain the format described Format of CSV file which is supported for import of OATH compliant tokens. It's not possible to use the YubiKey CSV files.
- Yubico csv, it is required to use one of the supported Log configuration output (check YubiKey Personalization Tool - Settings tab - Logging Settings) formats with comma as a delimiter:
  - Traditional format. OATH Token Identifier option should be enabled.
  - Yubico format. It is supported only for HOTP Length set to 6 Digits and OATH Token Identifier set to All numeric.
  IMPORTANT: Moving Factor Seed should not be more than 100000.
It's possible to add the encrypted PSKC files. For the case switch PSKC file encryption type from Not Encrypted to Password or Pre-shared key and provide the information.
Click Upload to import tokens from the file.

NOTE: Advanced Authentication gets an OTP format from the imported tokens file and stores the information in the enrolled authenticator. So it's not required to change the default common value of OTP format on the Method Settings Edit tab.

When the tokens are already imported you see the list and it's required to assign the tokens to users. If can be done in two ways:

Click Edit button next to token and select Owner. Click Save button to apply the changes.
A user can self-enroll a token in the Advanced Authentication Self-Service Portal. Administrator should let the user know an appropriate value from Serial column to do it.

Format of CSV file which is supported for import of OATH compliant tokens

A CSV file which is importing as OATH csv file type in (Advanced Authentication Administrative Portal - Methods - OATH OTP - OATH Tokens tab) should fields with the following parameters:

token’s serial number,
token’s seed
a type of the token: TOTP or HOTP (optional, by default HOTP)
OTP length (optional, by default 6 digits)
time step (optional, by default 30 seconds)

Comma is a delimiter.

Example of CSV:

Token001, 15d2fa517d3c6b791bd4cc2044c241429307001f
Token002, 8c557fc050721037fd31e1d3345b5d3263263e0f, totp, 8
Token003, 658208efea5ac49d5331ba781e66f2c808cccc8e, hotp, 6
Token004, 89f0dfe1c90379da6a11aaca2fc1070f606efe36, totp, 6, 60

IMPORTANT:For the YubiKey tokens it's required to use Traditional format of the CSV (check YubiKey Personalization Tool - Settings tab - Logging Settings) with comma as a delimiter. Use Yubico csv file type (Advanced Authentication Administrative Portal - Methods - OATH OTP - OATH Tokens tab).

8.3.9 Password

The settings allows to configure security options for passwords stored in the appliance. They are applied, for example, for the appliance administrator and other local accounts.

NOTE:It's not recommended to use the Password method in chains which contain one factor. It's secure to combine it with other factors.

It's possible to manage the following settings:

Minimum password length.
Maximum password age. 42 days by default. It means the password will expire in 42 days. If it's set to 0 the password will not expire.
Complexity requirements. The option is disabled by default. If it's enabled the password must complain at least 3 of 4 checks:
- it should contain at least one uppercase character,
- it should contain at least one lowercase character,
- it should contain at least one digit,
- it should contain at least one special symbol.
If you need to rename the Password method to PIN, enable Rename to PIN to ON. The Password method is renamed to PIN in the Advanced Authentication Administrative Portal, Helpdesk Portal, Self Service Portal and Windows Client, Mac OS X Client, and the Linux PAM Client.

IMPORTANT:Notifications about expiring passwords are not yet supported. So the local administrator will not be able to sign-in to the Advanced Authentication Administrative Portal and users who use the method will not be able to authenticate after the password expiration. To fix it the administrator/user should go to the Self-Service Portal and change his/her password.

8.3.10 PKI

The section allows you to upload the trusted root certificates. The following requirements for the certificates must be met:

Root CA certificate must be in the .pem format.
All certificates in the certification path (except Root CA) must contain AIA and CDP http link to check revocation status.
The certificate for PKI device must contain a key pair: public and private key in the x509 format. The certificates that do not comply with the requirements are ignored (hidden during enrollment).

NOTE:Advanced Authentication supports p7b format of parent certificates. They can contain only Certificates and Chain certificates but not the Private key. They are Base64 encoded ASCII files having extensions .p7b or.p7c

Configuring the Environment for a Standalone Root CA

Install Web Server (IIS) Role.
Create the CertEnroll Folder and grant Share & NTFS permissions to the Cert Publishers group.
Create CertEnroll Virtual Directory in IIS.
Enable Double Escaping on IIS Server.
Install Enterprise Root CA using Server Manager.
Enable Object Access Auditing on CA.
Configure the AIA and CDP.
Publish the Root CA Certificate to AIA.
Export Root CA in .der format and convert the format to .pem.
Export personal certificate (that was signed by Root CA) with private key and place it on a PKI device.

Configuring the Environment for a Subordinate CA

Install Web Server (IIS) Role.
Create the CertEnroll Folder and grant Share & NTFS permissions to Cert Publishers group.
Create CertEnroll Virtual Directory in IIS.
Enable Double Escaping on IIS Server.
Install the Standalone Offline Root CA.
Create a CAPolicy.inf for the standalone offline root CA.
Installing the Standalone Offline Root CA.
Enable Auditing on the Root CA.
Configure the AIA and CDP.
Install Enterprise Issuing CA.
Create CAPolicy.inf for Enterprise Root CA.
Publish the Root CA Certificate and CRL.
Install Subordinate Issuing CA.
Submit the Request and Issue subordinate Issuing CA Certificate.
Install the subordinate Issuing CA Certificate.
Configure Certificate Revocation and CA Certificate Validity Periods.
Enable Auditing on the Issuing CA.
Configure the AIA and CDP.
Install and configure the Online Responder Role Service.
Add the OCSP URL to the subordinate Issuing CA.
Configure and publish the OCSP Response Signing Certificate on the subordinate Issuing CA.
Configure Revocation Configuration on the Online Responder.
Configure Group Policy to provide the OCSP URL for the subordinate Issuing CA.
Export Root CA in .der format and convert the format to .pem.
Export personal certificate (that was signed by subordinate CA) with private key and place it on a PKI device.

For more information see the articles on Single Tier PKI Hierarchy Deployment and Two Tier PKI Hierarchy Deployment.

To upload a new trusted root certificate:

In the PKI Method Settings Edit page, click Add.
Click Browse.
Choose a .pem certificate file and click Upload. A message is displayed that the trusted root certificate has been added.
Click Save.

NOTE:Only Root CA must be uploaded on appliance.

8.3.11 Radius Client

With the Radius Client Authentication Method the authentication framework will forward the authentication request to a third party RADIUS server. This can be any RADIUS server. A specific example of when to use this Authentication Method is if you have a working token solution like RSA, or Vasco and want to migrate your users to the Advanced Authentication framework. Some users will be able to still use the old tokens and new users can use any of the other supported Authentication Methods.

To use this method you will need to create an RADIUS Client on the third party RADIUS server with the hostname of IP address of this appliance. If you have multiple appliances you should add them all as RADIUS Clients.

The following configuration options are available:

Server: the hostname or IP address of the third party RADIUS server.
Secret: shared secret between the RADIUS server and the Authentication Framework.
Port: port to where the RADIUS authentication request is sent. The default is 1812.
Send repo name. If it's enabled, a repository name will be automatically used with a username. For example, company\pjones
NAS Identifier, the attribute is optional.

8.3.12 SMS OTP

The SMS OTP authentication method will send an SMS text to the user's mobile phone with a One-Time-Password (OTP). The user will receive this OTP and needs to enter it on the device where the authentication is happening. This authentication method is best used with a second method like Password or LDAP Password in order to achieve multi-factor authentication and to prohibit malicious users from sending SPAM a user's phone with authentication requests.

NOTE:In the user's settings, if the phone number is specified with extension, then SMS will not be delivered. Ensure that a phone number without extension is provided.

The following configuration options are available:

OTP Period: the lifetime of an OTP token in seconds. By default 120 seconds.The maximum value for the OTP period is 360 seconds.
OTP Format: the length of an OTP token. By default 6 digits.
Body: the text in the SMS that is sent to the user. The following variables can be used:
- {user} - the username of the user
- {endpoint} - the device the user is authenticating to
- {event} - the name of the event where the user is trying to authenticate to
- {otp} - this is the actual One-Time-Password.
User cell phone attribute: the cell phone number of a user that is used to send the OTP through an SMS. You can use custom attributes such as mobile, homePhone, ipPhone, and other attributes of a repository. You must also define the attribute in the User cell phone attributes section of Repository configuration.

NOTE:If you do not configure the attribute in the method settings, then the first attribute defined in the User cell phone attributes section of Repository configuration is used when the user tries to authenticate. For example, if you define mobile as the first attribute in User cell phone attribute and do not configure the attribute in method settings of SMS OTP, then while authenticating, the first attribute, which is the mobile attribute, is used for the SMS OTP method authentication.

8.3.13 Security Questions

This Authentication Method is mostly used in fall-back scenarios where a user does not have access to his normal strong authentication method. The authentication method works in such a way that a user needs to answer a series of questions that are pre-defined in this configuration section. When the user tries to authenticate using the Security Questions he or she will be provided with a random set out of these pre-defined questions. By answering the questions correctly the user will get access. Below you can configure how many of the answers should be correct before the user gains access.

IMPORTANT:This authentication method is not seen as secure and if possible should not be used.

When you decide to use this Authentication Method please follow some guidelines.

It is essential that we use good questions. Good security questions meet five criteria. The answers to a good security question are:

Safe: cannot be guessed or researched.
Stable: does not change over time.
Memorable: can be remembered.
Simple: is precise, easy, consistent.
Many: has many possible answers.

Some examples of good, fair, and poor security questions according to goodsecurityquestions.com are given below. For a full list please visit this website.

GOOD

What is the first name of the person you first kissed?

What is the last name of the teacher who gave you your first failing grade?

What is the name of the place your wedding reception was held?

In what city or town did you meet your spouse/partner?

What was the make and model of your first car?

FAIR

What was the name of your elementary / primary school?

In what city or town does your nearest sibling live?

What was the name of your first stuffed animal, doll, or action figure?

What time of the day were you born? (hh:mm)

What was your favorite place to visit as a child?

POOR

What is your pet's name?

In what year was your father born?

In what county where you born?

What is the color of your eyes?

What is your favorite _____?

The following configuration options are available:

Min. answer length: the minimum number of characters an answer should consist of.
Correct questions for logon: the number of questions a user should answer correctly to get access.
Total questions for logon: the number of questions the user needs to answer.

So when Correct questions for logon is set to 3 and the Total questions for logon is set to 5 then the user only needs to enter 3 correct questions out of a set of 5.

8.3.14 Smartphone

The Smartphone authentication method uses an app on your smartphone to do out-of-band authentication. This means that the authentication is happening over a different channel than the initiating authentication request.

For example, if you are logging into a website, then the Smartphone authentication method will send a push message to your mobile phone. When opening the Advanced Authentication app the user will be presented with an Accept and a Reject button where he can decide what to do. If the user pushes the Accept button the authentication request will be sent over the mobile network (secure) back to the Authentication framework. Without typing over an OTP code the user will be granted access.

When the smartphone doesn't have a data connection, a backup OTP authentication can be used.

This Authentication Method is best used in combination with another method like Password or LDAP Password in order to achieve multi factor authentication and protect the user from getting SPAM push messages.

The following configuration options are available:

Push salt TTL: the lifetime of an authentication request sent to the smartphone.
Learn timeout: the time the QR code used for enrolment is valid for the user to scan.
Auth salt TTL: the lifetime in which the out-of-band authentication needs to be accepted before authentication fails.
TOTP Length: the length of the OTP token used for backup authentication
TOTP step : the time a TOTP is shown on screen before the next OTP is generated. Default 30
TOTP time window: the time in seconds in which the TOTP entered is accepted. Default 300
Server URL: URL of Advanced Authentication server to where the smartphone app connects for authentication. For example, http://<AAServerAddress>/smartphone (/smartphone cannot be changed). Use http only for testing and https in a production environment. You will need a valid certificate while using https.

You can configure Geo-fencing with the Smartphone method. Geo-fencing allows you to authenticate with the Smartphone method with one more factor, which is the geographical location. When you enable geo-fencing, users will be able to authenticate with Smartphone from only allowed geographical locations. You must enable the policy Geo fencing options to use geo fencing.

To configure geo-fencing, you need to draw a boundary of the location to be authenticated with a polygon. To configure geo-fencing, perform the following steps:

Click the Geo Zones tab.
Click Add.
Specify the name of the zone.
Click the Search icon and specify the address to locate the required geographical location.

You can click the full screen icon to view the map in the full screen.
Click the polygon icon in the menu bar of the map.
Click the starting point on the map and draw the boundary of the specific location to be authenticated.
Click to mark the end point of the boundary after you have finished drawing the geo zone.

You can also edit the marked polygon by clicking the edit icon.
Click Save.

NOTE:If you use the geo-fencing feature, then ensure that access to the location is enabled for the NetIQ Advanced Authentication app on the smartphone.

Authentication flow

The following chart demonstrates the authentication flow:

A user is authenticating on endpoint (which can be the user's laptop with Advanced Authentication Windows Client installed or a website etc.) by Smartphone method.

The endpoint calls the Advanced Authentication Server.
It validates the provided user's credentials.
Advanced Authentication Server sends a push message to proxy.authasas.com.
It defines an appropriate push service for the using smartphone platform and forwards the push message to it.
The push message will be delivered to the user's smartphone. This is not required for a successful authentication and is only to inform the user.
When the user opens the app, the app checks at the Advanced Authentication Server if there is an authentication needed. If this is the case it will show the Accept and Reject buttons. This answer is send to the server.
Advanced Authentication Server validates the authentication. The authentication is done/ forbidden.

HTTPS protocol is used for the communication.

Access configuration

Advanced Authentication Server must be accessible by the specified Server URL address from smartphones (HTTPS, outbound).
Advanced Authentication Server must have a permitted outbound connection to proxy.authasas.com (HTTPS).

8.3.15 Swisscom Mobile ID

The settings allow you to configure the Swisscom Mobile ID authentication method. This method provides strong authentication based cryptographic materials that are stored and protected in the SIM card of a user’s mobile phone.

You can configure the following settings for this method:

Application provider ID: Identifier of the application provider.
Application provider password: Password of the application provider.
Swisscom Mobile ID service URL: Interface of the Swisscom Mobile ID.
Notification message prefix: Message that will be displayed on the user’s mobile as a notification.

The section also allows you to upload the Swisscom client certificates:

Choose a Client SSL certificate. The required certificate must be in a .pem format and should be self-signed certificate with a private key.
Specify the Private key password for the certificate.
Click Save.

NOTE:Users must activate the Mobile ID service for the Swisscom SIM card.

For more information on Swisscom Mobile ID, refer to the Mobile ID Reference guide.

8.3.16 Voice

The section contain security settings for Voice authentication method. Advanced Authentication will call user and the user will need to enter a pin code, which should be predefined in Advanced Authentication Self-Service Portal during the authenticator enrollment.

NOTE:Phone number with extensions are also supported for voice method.

Special characters , and x are used to indicate wait time and can be used as separators between phone number and extension.

For example, if +123456789 is the phone number and 123 is the extension, then it can be specified as +123456789,,,,123.

In the above example, , is specified 4 times and this multiplied by 0.5 (default value in Twilio) indicates the wait time, which is 2 (4*0.5) seconds. So at first, call is given to the number 123456789 and after a wait period of 2 seconds, the extension 123 is dialled.

It's possible to manage the following settings:

Minimum pin length. 3 digits by default. Usage of shorter pins is not allowed.
Maximum pin age. 42 days by default. It means that the pin will expire in 42 days and will need to be changed in the Advanced Authentication Self-Service Portal. If it's set to 0 the pin will not expire.
User cell phone attribute: the cell phone number of a user that is used to call the user for voice authentication. You can use custom attributes such as mobile, homePhone, ipPhone and other attributes of a repository. You must also define the attribute in the User cell phone attributes section of Repository configuration.

NOTE:If you do not configure the attribute in the method settings, then the first attribute defined in the User cell phone attributes section of Repository configuration is used when the user tries to authenticate. For example, if you define mobile as the first attribute in User cell phone attribute and do not configure the attribute in method settings of Voice, then while authenticating, the first attribute, which is the mobile attribute, is used for the Voice method authentication.

IMPORTANT:Notifications about expiring pins are not supported.

8.3.17 Voice OTP

The settings allow you to configure the Voice OTP authentication method. The user will receive this OTP in a call and the OTP has to be entered on the device where the authentication is happening. This authentication method is best used with a second method like Password or LDAP Password in order to achieve multi-factor authentication.

You can configure the following settings for this method:

OTP period: The time period for which the Voice OTP is valid. Default time is 120 seconds. The maximum value for the Voice OTP period is 360 seconds
OTP format: The length of the Voice OTP token. Default length is 4 digits.
Body: The text/number in the Voice OTP that is sent to the user. Here, you can enter the {otp} variable, which is the actual One-Time-Password. To repeat the One-Time Password during the call you may enter: Use the OTP for authentication: {otp}. OTP: {otp}.
User cell phone attribute: the cell phone number of a user that is used to send the OTP through call. You can use custom attributes such as mobile, homePhone, ipPhone and other attributes of a repository. You must also define the attribute in the User cell phone attributes section of Repository configuration.

NOTE:If you do not configure the attribute in the method settings, then the first attribute defined in the User cell phone attributes section of Repository configuration is used when the user tries to authenticate. For example, if you define mobile as the first attribute in User cell phone attribute and do not configure the attribute in method settings of Voice OTP, then while authenticating, the first attribute, which is the mobile attribute, is used for the Voice OTP method authentication.